Malware Through Fake Google Site

SurfControl has detected the fake Google website that is complete with an actual Google URL. The website uses ActiveX controls in Internet Explorer with the aim to install a collection of malware. These days, this hoax site is hosted on an advanced domain for Belize.

The website has adopted 'typosquatting' technique to imitate an authentic looking domain and provides a Google page that looks exactly like the original. The spoof Google site tries to install ActiveX controls on the targeted computer. The installation is possible automatically only if the Internet Explorer security configurations allow automatic installation of ActiveX controls. If the end user's browser does not have this configuration, then he/ she will have to accept the installation once the person visits the site, and let infection occur on the machine. In addition to this malware, the Internet Explorer homepage itself is converted to a website containing adult contents.

Apart from hijacking the browser, the Web site installs a 'keylogging Trojan' that observes the user's keystrokes and transmits information to a remote attacker. The various types of malware involved in the keylogging and adware capabilities are 'Agent.zs.Trojan', 'Agent.lk.Trojan', Small.hj.Trojan', 'Agent.wd.Trojan' and many others.

Further, SurfControl has seen cases of machines with infection that try to send out spam mail, possibly with malicious code.

Seemingly simple, the scam has adroit combination of strategies. All phishing scams use parts of established websites to pose authentic. But in this case, the precise reproduction of an entire page accompanied with a convincingly false web address is rather unusual. Since the spam mail appears to originate from Google, it increases the recipients' chances of clicking on the link.

Google has had similar attacks before. On September 2006, scammers forged the search page of Google to spread a worm. More currently, a Trojan attacked Google's 'adsense advertisements', substituting them in the browser with fake ones on a computer infected with malware.

Related article: Malware Authors Turn More Insidious

» SPAMfighter News - 10/20/2006